Malicious PDF — malware analysis report

Static analysis result for SHA-256 b711a91886603e61…

MALICIOUS

PDF

52.6 KB Created: 2020-11-28 09:07:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a005ac28eebc9cf13ae45bfc94c449a0 SHA-1: 94ed27357a1d04c617c70e465e8dbf0874168f06 SHA-256: b711a91886603e61bb1a002a986fff380dc16f5ca278a6d023b4ac1d95105161
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous external links, a common tactic for SEO link farms and phishing. The heuristic 'PDF_SEO_LINK_FARM' specifically flags this behavior, indicating a malicious intent to redirect users. While no scripts were explicitly extracted, the presence of embedded URLs and the ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggest a phishing or malicious redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5258

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://trafftec.ru/aws?utm_term=free+printable+birthday+invitation+templates+online
    • https://karezolakep.weebly.com/uploads/1/3/1/3/131398125/452deb42cf3cffe.pdf
    • https://cdn-cms.f-static.net/uploads/4476750/normal_5fa875f9dc0bc.pdf
    • https://xikunamoveg.weebly.com/uploads/1/3/4/5/134596382/ae2bb1.pdf
    • https://cdn-cms.f-static.net/uploads/4482631/normal_5fa7b43b29a60.pdf
    • https://uploads.strikinglycdn.com/files/1b34a421-b4dc-42ee-8694-9b42860a11b3/leronubulixifojuxune.pdf
    • https://uploads.strikinglycdn.com/files/09e7b26e-8337-4da9-b659-76bbbc5b12c2/xitifujaz.pdf
    • https://s3.amazonaws.com/gozifep/90748295591.pdf
    • https://uploads.strikinglycdn.com/files/53c8a078-cb72-4ffa-b4b3-c08197fd4957/jagamijomapuxipalu.pdf
    • https://s3.amazonaws.com/ginutu/badebutijepuvavupazaxo.pdf
    • https://uploads.strikinglycdn.com/files/8f8737ce-c328-4a09-b781-6ce4d06c9e62/97971269124.pdf
    • https://uploads.strikinglycdn.com/files/1ca67d49-42ed-45b1-91c6-bc06f712f17a/76970882999.pdf